Windows Information Protection
Use this profile configuration to assign a Windows Information Protection policy to your devices when:
Only one Windows Information Protection profile configuration can be assigned and installed on a device. Additional Windows Information Protection profile configurations assigned to a device will be ignored.
General
Use the options on the General tab of the WIP profile configuration to control the behavior of WIP on your devices.
Protection Level | Select one of the following options to set the protection level for your enterprise data. |
Allow User to Decrypt Data | When enabled, device users can decrypt any data created or edited by enforced applications by entering the file's Properties and deselecting the appropriate checkboxes. |
Revoke Encryption Keys on Device Unenrollment | When enabled, the device user's local encryption keys are revoked when the device is unenrolled. |
Allow Encrypted Data and Store Apps to Appear in Windows Search | When enabled, Windows Search can search and index encrypted corporate data and Store applications. |
Data Recovery Certificate | Use this section to add data recovery certificates. A data recovery certificate enables you to recover encrypted data that might be lost if an account is locked or becomes inaccessible, by verifying your right to access that information. Note: It is recommended that you use a Data Recovery Agent (DRA) template from ADCS. |
Applications
Use the Applications tab to specify which applications have access to enterprise data on your devices.
Applications are divided into two sections: Legacy Applications (*.msi) and Modern Applications (*.appx).
Applications with a lightbulb icon are Enlightened Applications. Enlightened applications can differentiate between corporate and personal data and only encrypt corporate data. Unenlightened applications consider all data corporate and encrypt everything. Exempt applications are allowed to access enterprise data without encrypting it.
For each application you can select one of the following options:
- Allow: Applies your WIP policy to this application
- Block: Blocks the application from accessing your enterprise data
- Exempt: Exempts the application from your WIP policy, allowing it to access enterprise data without encryption. This option is primarily for applications that may have compatibility issues with WIP but are necessary for your company's productivity. Use this option carefully, as exemption from WIP increases the chances of a data leak from your applications.
Networks
Use the Networks tab to set boundaries for the Windows Information Protection profile configuration. Each of the three network setting types (IP Address Range, Network Domain, and Protected Domain) must be configured, and you can configure multiple values for each type.
Enterprise Cloud Resource
Contains a list of enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource is routed through the enterprise network via the denoted proxy server on port 80.
Domain | Enter a qualified enterprise resource domain. |
Proxy | This field is optional. Enter the address of a proxy associated with the domain. |
The Enterprise Cloud Resources App Compatibility switch permits connections to certain IP addresses. Connections to cloud resources through an IP address are blocked by default, because Windows cannot tell the difference between a cloud resource and a personal site when only an IP address is used.
IP Address Range
Enter the range of IP addresses where enterprise data is accessible to your device users. Device users cannot access enterprise data while they are outside this range. You can add multiple IP address ranges.
Type | Select an internet protocol version: IPv4 or IPv6. |
Starting Address | Enter the starting address for your IP address range. |
Ending Address | Enter the ending address for your IP address range. |
The Enterprise IP Ranges are Authoritative switch tells the client to accept the configured list and not to attempt to find other subnets. It applies to the whole list of IP Address Ranges: a single yes or no covers all addresses in that list.
Enterprise Internal Proxy Servers
These proxies, which are considered to be enterprise network locations, have been configured by the administrator to connect to specific resources on the internet. Do not add servers that already appear in your Proxy Servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
Address | Enter the address of a specific resource on the internet. For example, sample.internalproxy1.com |
Domains
Enter the network or protected domain where your enterprise data is accessible to your device users. You must specify a fully qualified domain name. All traffic to the network domains on this list will be protected. You can add multiple domains.
Type | Select the domain type you are configuring. This field is read-only when you are editing an existing domain. |
Location | Enter a fully qualified domain name. |
Enterprise Proxy Servers
Any server on this list is considered non-enterprise.
Address | Enter the address of a valid Enterprise Proxy Server. |
The Enterprise Proxy Servers are Authoritative switch tells the client to accept the configured list of proxies and not to detect other work proxies.
Neutral Resources
List of domain names that can be used for a work or personal resource.
Location | Enter the address of a location that is considered enterprise or personal, based on the context of the connection before the redirection. For example, sts.contoso.com. |